almenscorner / IntuneCD

Tool to backup, update and document configurations in Intune
MIT License

[BUG] Error in pipeline when running update #191

Closed Jens1986-11 closed 2 months ago

Jens1986-11 commented 5 months ago

Describe the bug
When I want to push an update to a new tenant, I get the following error on updateenrollmentConfigurations.py: "Tenant is not Global Admin or Intune Service Admin. Patch operation is restricted". If I run the backup with --exclude EnrollmentConfigurations, the update then runs fine. I've even removed every custom setting under enrolment in the tenant where the backup comes from, but still no luck.

In previous test setups, I've never encountered this issue before.

Any insights are welcome. 

To Reproduce
Not sure what causes the issue; like I've written above, I've removed every custom setting in the enrollment page.

Expected behavior
Apply the configuration, which it does to some extent (see Pic 2). The naming convention I've set gets applied before the error.

Screenshots
Pic 1: [image]
Pic 2: [image]
Pic 3: App rights [image]
Pic 4: Update pipeline [image]
Pic 5: Run when --exclude EnrollmentConfigurations is applied to backup [image]
Pic 6: Run when no exclude is applied to backup [image]

Run type (please complete the following information):


almenscorner commented 5 months ago

How is the app registration set up? Is it a multi-tenant app set up in the upstream tenant and added to the downstream?

almenscorner commented 5 months ago

Somewhere in the chain you are running into permission issues.

almenscorner commented 5 months ago

Also, given the log outputs, you are not running the latest version of IntuneCD (2.3.0); with that version the output would be in a different format.

Jens1986-11 commented 5 months ago

Hi

The tenant where the app is created is not a multi-tenant. The app is created through PowerShell, as I have been doing for all the other apps I've created. With other tests I've done with the same approach for the app, there were no problems.

I've recreated the app on both tenants where the problem occurs. But the problem is still there. I've now created a new demo tenant, ran the script, and now it just works.

After some more searching, I found where the problem occurs: in the settings for Windows Hello for Business on the enrollment page. The first time, this had custom settings for the policy. Later I tried to just disable the settings by putting it back on Not Configured, but I left the custom settings in the policy. [image]

After putting everything back to default and running a new backup, the update then ran correctly. But this was after the test with the new tenant, so I'm not sure why it worked with those two tenants and not with these two.

Also is there a parameter to give to make sure that the pipeline uses version 2.3.0?

Thanks in advance

almenscorner commented 5 months ago

I will see if there is any way that I can replicate the behaviour you have described to understand what is happening.

Regarding the use of the latest version, all that is required is to run the pip install IntuneCD command without any version set like IntuneCD==2.2.3.

Jens1986-11 commented 5 months ago

I've done some more testing, and the error appears when I enable Windows Hello under Windows enrollment. [image]

Just enabling it is enough to fail the update. Even when keeping the default values, it will still fail.

As for the version of IntuneCD, when I run the pipeline the command is pip install IntuneCD, but it will install version 2.2.0. [image]

almenscorner commented 5 months ago

I managed to replicate and find out what is going on.

Windows Hello For Business settings require delegated permissions when updating the values, i.e. you must use interactive authentication as application permissions won't work. I will have to add a check for this payload and output that updating Windows Hello For Business is only possible when running with interactive auth.

Regarding the IntuneCD version, can you try this command and see if it successfully installs the newest version? pip3 install IntuneCD==2.3.0
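A pre-flight check of the kind described in the comment above, as an added example that is not IntuneCD's own code: it inspects the access token's claims to tell application (app-only) auth from delegated auth and sets Windows Hello for Business payloads aside when the token is app-only. It assumes the backed-up payload carries the Graph `@odata.type` shown below; the function names, sample configurations and unsigned tokens are constructed for illustration.

```python
import base64
import json

# Graph @odata.type of the Windows Hello for Business enrollment configuration
# (assumed here to be present in the backed-up payload).
WHFB_TYPE = "#microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration"


def token_claims(access_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying it (local routing decision only)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_delegated(access_token: str) -> bool:
    """Delegated tokens carry scopes in 'scp'; app-only tokens carry 'roles'."""
    return bool(token_claims(access_token).get("scp"))


def split_updatable(configs: list, access_token: str):
    """Return (updatable, skipped) enrollment configurations for this token."""
    if is_delegated(access_token):
        return list(configs), []
    updatable = [c for c in configs if c.get("@odata.type") != WHFB_TYPE]
    skipped = [c for c in configs if c.get("@odata.type") == WHFB_TYPE]
    return updatable, skipped


def _fake_token(claims: dict) -> str:
    """Build an unsigned token for the demo (constructed, not a real credential)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample data
SAMPLE_CONFIGS = [
    {"@odata.type": WHFB_TYPE, "displayName": "All users and all devices"},
    {"@odata.type": "#microsoft.graph.deviceEnrollmentLimitConfiguration",
     "displayName": "All users and all devices"},
]
APP_TOKEN = _fake_token({"roles": ["DeviceManagementServiceConfig.ReadWrite.All"]})
USER_TOKEN = _fake_token({"scp": "DeviceManagementServiceConfig.ReadWrite.All"})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_TOKEN), ("delegated", USER_TOKEN)):
        ok, skipped = split_updatable(SAMPLE_CONFIGS, tok)
        for c in skipped:
            print(f"[{name}] skipping {c['@odata.type']}: requires interactive auth")
        print(f"[{name}] {len(ok)} configuration(s) will be updated")
```

Skipping with an explicit message keeps the rest of the enrollment configurations flowing through the pipeline and makes the delegated-only setting visible in the run log.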

Jens1986-11 commented 5 months ago

Ok, no problem, good to know. Then this will be a manual setup for Windows Hello for us.

As for running the command, it produces the following error:

2024-04-05T07:50:59.4359335Z ##[section]Starting: Install IntuneCD
2024-04-05T07:50:59.4364256Z ==============================================================================
2024-04-05T07:50:59.4364392Z Task : Command line
2024-04-05T07:50:59.4364461Z Description : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
2024-04-05T07:50:59.4364577Z Version : 2.237.1
2024-04-05T07:50:59.4364640Z Author : Microsoft Corporation
2024-04-05T07:50:59.4364729Z Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
2024-04-05T07:50:59.4364856Z ==============================================================================
2024-04-05T07:50:59.8115582Z Generating script.
2024-04-05T07:50:59.8125104Z Script contents:
2024-04-05T07:50:59.8125280Z pip3 install IntuneCD==2.3.0
2024-04-05T07:50:59.8125472Z ========================== Starting Command Output ===========================
2024-04-05T07:50:59.8143741Z [command]/usr/bin/bash --noprofile --norc /home/vsts/work/_temp/92365335-c749-4866-a60e-e1526a4ce5ed.sh
2024-04-05T07:51:02.4027211Z ERROR: Could not find a version that satisfies the requirement IntuneCD==2.3.0 (from versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0b1, 1.4.0b2, 1.4.0, 1.4.1b1, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5b1, 1.4.5b2, 1.4.5, 1.4.6b1, 1.4.6, 1.4.7b1, 1.4.7, 1.4.8b1, 1.4.8, 1.4.9, 1.5.0, 1.5.1, 2.0.0b1, 2.0.0b2, 2.0.0b3, 2.0.0b4, 2.0.0b5, 2.0.0, 2.0.1, 2.0.2b1, 2.0.2, 2.0.3b1, 2.0.3b2, 2.0.3, 2.0.4b1, 2.0.4b2, 2.0.4b3, 2.0.4, 2.0.5b1, 2.0.5b2, 2.0.5, 2.0.6, 2.0.7, 2.0.8b1, 2.0.8, 2.0.9b1, 2.0.9b2, 2.0.9b3, 2.0.9b4, 2.1.0b1, 2.1.0, 2.1.1, 2.1.2b1, 2.1.2b2, 2.1.2b3, 2.1.2, 2.2.0b1, 2.2.0b2, 2.2.0b3, 2.2.0b4, 2.2.0b5, 2.2.0b6, 2.2.0b7, 2.2.0, 2.3.0b1, 2.3.0b2, 2.3.0b3, 2.3.0b4, 2.3.0b5, 2.3.0b6, 2.3.0b7, 2.3.0b8, 2.3.0rc1, 2.3.0rc2)
2024-04-05T07:51:02.4029561Z ERROR: No matching distribution found for IntuneCD==2.3.0
2024-04-05T07:51:02.4637412Z
2024-04-05T07:51:02.4686814Z ##[error]Bash exited with code '1'.
2024-04-05T07:51:02.4713499Z ##[section]Finishing: Install IntuneCD

almenscorner commented 5 months ago

I just tried in an Azure DevOps pipeline using the ubuntu-latest image and for me it is installing 2.3.0

Try running an update of pip before installing IntuneCD: pip3 install --upgrade pip

Jens1986-11 commented 5 months ago

With ubuntu-latest it's not working, but if I use ubuntu-22.04 then version 2.3.0 is installed.

almenscorner commented 5 months ago

Very interesting, latest should be ubuntu-22.04..